httpd-dev mailing list archives

From Nick Kew <n...@webthing.com>
Subject Fwd: Untainting an incoming request
Date Fri, 06 Aug 2010 08:45:49 GMT
This (among others) seems to have got lost in the ether.

Dan, I did reply to your comments :)

Begin forwarded message:

> From: Nick Kew <nick@webthing.com>
> Date: 28 July 2010 23:38:10 GMT+01:00
> To: dev@httpd.apache.org
> Subject: Re: Untainting an incoming request
> 
> 
> On 28 Jul 2010, at 13:13, Dan Poirier wrote:
> 
>> Example usage?
>> 
>> Just to better understand the scope, can this do things that one
>> couldn't do (however painfully) with mod_rewrite?
> 
> Very likely not (that's not the purpose of it).  Complexity - and hence
> a mod_rewrite-based alternative - is the enemy of security.  Merging
> duplicate request headers is a simplicity feature that would not sit
> so well in mod_rewrite, and without it we have huge complexity in
> devising untainting rules!
> 
> I did indeed contemplate implementing the function with an "untaint" directive
> in mod_rewrite, that would translate to a RewriteCond+RewriteRule pair.
> But that's asking for trouble: giving every future tweak to mod_rewrite
> potential to impact on or break a security feature.
> 
> -- 
> Nick Kew
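The point Nick makes above, that folding duplicate request headers into one value before any untainting rule runs is what keeps the rules simple, can be shown with a small model. The following is an added illustration written for this archive page; it is not httpd code and not the proposed directive, and the header names, the allowlist patterns and the sample requests are all constructed for the example. It contrasts a naive check that looks only at the first copy of a header with a check that merges duplicates first, so that a rule author never has to reason about which copy of a repeated header is the one being validated.

```python
import re
from typing import Dict, List, Tuple

Header = Tuple[str, str]

def merge_duplicate_headers(headers: List[Header]) -> Dict[str, str]:
    """Fold repeated header fields into one value per (case-insensitive) name.

    Values are joined with ", " as RFC 7230 permits for list-valued fields, so
    an untaint rule only ever sees a single value per header name.  Order of
    first appearance is preserved; a later duplicate is appended, never dropped.
    """
    merged: Dict[str, str] = {}
    for name, value in headers:
        key = name.lower()
        value = value.strip()
        merged[key] = value if key not in merged else merged[key] + ", " + value
    return merged

# Hypothetical allowlist rules (constructed): header name -> pattern that the
# whole merged value must match.  A single hostname, or a 32-hex-digit id.
UNTAINT_RULES = {
    "host": re.compile(r"[a-z0-9.-]+(:[0-9]{1,5})?"),
    "x-request-id": re.compile(r"[0-9a-f]{32}"),
}

def first_copy_only(headers: List[Header], rules=UNTAINT_RULES) -> bool:
    """Naive check: validate only the first occurrence of each ruled header.
    This is the kind of rule complexity merging is meant to remove."""
    for name, pattern in rules.items():
        first = next((v.strip() for n, v in headers if n.lower() == name), None)
        if first is not None and pattern.fullmatch(first) is None:
            return False
    return True

def untaint(headers: List[Header], rules=UNTAINT_RULES) -> Tuple[bool, List[str]]:
    """Merge duplicates, then apply each allowlist rule to the single value.

    Returns (ok, failures).  A header that is absent is not checked here; that
    is a policy choice of this model, not a statement about the real directive.
    """
    merged = merge_duplicate_headers(headers)
    failures: List[str] = []
    for name, pattern in rules.items():
        value = merged.get(name)
        if value is None:
            continue
        if pattern.fullmatch(value) is None:
            failures.append(f"{name}: {value!r} does not match allowlist")
    return (not failures), failures

# Constructed sample requests (header lists only).
CLEAN_REQUEST: List[Header] = [
    ("Host", "example.org"),
    ("X-Request-Id", "0123456789abcdef0123456789abcdef"),
    ("Accept", "text/html"),
]

# Same request with Host sent twice; the first copy is benign on its own.
DUPLICATE_HOST_REQUEST: List[Header] = [
    ("Host", "example.org"),
    ("Host", "other.example"),
    ("X-Request-Id", "0123456789abcdef0123456789abcdef"),
    ("Accept", "text/html"),
]

if __name__ == "__main__":
    for label, req in (("clean", CLEAN_REQUEST), ("dup-host", DUPLICATE_HOST_REQUEST)):
        ok, failures = untaint(req)
        print(f"{label}: first-copy-only={first_copy_only(req)} merged={ok} {failures}")
```

Running it shows the difference: the first-copy-only check passes both requests, while the merge-then-validate check rejects the duplicated Host because the merged value `"example.org, other.example"` is not a single hostname. The rule itself did not have to mention duplicates at all, which is the simplification the message is arguing for.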

